REMARKS 

Reconsideration of the above-identified patent application in view of the 
amendments above and the remarks following is respectfully requested. 

Claims 1-22 are in this case. Claims 15 and 20-22 have been rejected under 
§ 101. Claims 1-22 have been rejected under § 103(a). Independent claim 15 has 
been canceled. Independent claims 1, 11, 16, 17 and 20 have been amended. 

Specifically, claims 1, 11, 16, 17 and 20 have been amended to recite the 
limitation that the monitoring is for (a) suspicious portion(s) of data in a portion of the 
stream of data traffic that is expected to lack executable code. Support for these 
amendments is found in the specification at least on page 8 line 30 through page 9 line 
5: 

Suspicious data includes data inconsistent with the protocol in use. For 
instance, an illegal character is filtered out of a stream of data traffic, 
e.g. HTTP traffic. The illegal character is unexpected as part of the 
protocol definition in the input data stream. Another option of such 
filtering is to treat all parts of the protocol as suspicious except for 
parts of the protocol that were specifically marked by the protocol to 
contain executable code. For example, an URL of a HTTP request is 
suspicious since any executable code segment found within it will 
constitute a worm. (emphasis added) 

Note that page 6 lines 24-29 defines the stream of data traffic as possibly including 
both "legitimate executable code" (page 6 line 29) and "non-executable code, i.e. 
HTML" (page 6 line 26). 
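The quoted passage treats the URL of an HTTP request as a field expected to lack executable code and flags data there that is inconsistent with the protocol. The sketch below is an added illustration, not code from the application or its specification. It assumes the RFC 3986 character set as the protocol definition; the function names and both sample requests are constructed for the example.

```python
import re

# Bytes RFC 3986 allows in a URI: unreserved, reserved, and "%" (assumed rule set).
_URI_BYTES = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    b"-._~:/?#[]@!$&'()*+,;=%"
)
_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")


def request_target(raw):
    """Return the URL field of the request line: METHOD SP target SP version."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise ValueError("malformed request line")
    return parts[1]


def suspicious_spans(target):
    """Return (offset, bytes) runs in the URL that the protocol does not allow."""
    bad = [False] * len(target)
    for i, b in enumerate(target):
        if b not in _URI_BYTES:
            bad[i] = True                      # raw byte outside the URI set
        elif b == 0x25 and not _PCT.match(target, i):
            bad[i] = True                      # "%" without two hex digits
    for m in _PCT.finditer(target):
        value = int(m.group(1), 16)
        if value < 0x20 or value == 0x7F:      # escape hiding a control byte
            for j in range(m.start(), m.end()):
                bad[j] = True
    spans, start = [], None
    for i, flag in enumerate(bad + [False]):   # sentinel closes a trailing run
        if flag and start is None:
            start = i
        elif not flag and start is not None:
            spans.append((start, target[start:i]))
            start = None
    return spans


# Constructed sample requests (not taken from the application).
CLEAN = b"GET /index.html?q=a%20b HTTP/1.1\r\nHost: example.test\r\n\r\n"
ODD = b"GET /a?x=\x01\xfe\xff&y=%0d%zz HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for request in (CLEAN, ODD):
        print(suspicious_spans(request_target(request)))
```

Each returned span marks data that a later stage, such as the instruction analyzer the specification describes, would examine further.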

§101 Rejections 

The Examiner has rejected claims 15 and 20-22 under § 101, as directed to 
non-statutory subject matter. The Examiner's rejection is respectfully traversed. 

Claim 15 has been canceled, thereby rendering moot the Examiner's rejection 
of this claim. 

With regard to the rejection of claims 20-22, contrary to the Examiner's 
interpretation of these claims, the scope of these claims includes both software 
embodiments and hardware embodiments. It is well known in the art that hardware 
and software are equivalent. See e.g. Andrew S. Tanenbaum, Structured Computer 
Organization, 4th Edition (Prentice-Hall International, 1998) page 8 (copy attached): 

Hardware and software are logically equivalent. 

Any operation performed by software can also be built directly 
into the hardware, preferably after it is sufficiently well understood. 
As Karen Panetta Lentz put it: "Hardware is just petrified software." 
Of course, the reverse is also true: any instruction executed by the 
hardware can also be simulated in software. The decision to put 
certain functions in hardware and others in software is based on such 
factors as cost, speed, reliability and frequency of expected changes. 
There are few hard and fast rules to the effect that X must go into the 
hardware and Y must be programmed explicitly. These decisions 
change with trends in technology and computer usage. (emphasis in 
original) 

The specification as filed states explicitly, on page 6 lines 7-9: 

...it is to be understood that the invention is not limited in its 
application to the details of construction and the arrangement of the 
components set forth in the following description or illustrated in the 
drawings. 

on page 6 lines 15-17: 

It is important, therefore, that the claims be regarded as including such 
equivalent constructions insofar as they do not depart from the spirit 
and scope of the present invention. 

and on page 12 lines 1-2: 

...and accordingly, all suitable modifications and equivalents may be 
resorted to, falling within the scope of the invention. 

It follows that the scope of claims 20-22 includes not just the software embodiments 
described in the specification but also their hardware equivalents. 

§ 103(a) Rejections - Vella '913 in view of Schmall 

The Examiner has rejected claims 1, 3 and 20 under § 103(a) as being 
unpatentable over Vella, US Patent Application Publication No. 2003/0212913 
(henceforth, "Vella '913") in view of Schmall, "Classification and identification of 
malicious code based on heuristic techniques using Meta languages" (Hamburg 2003) 
(henceforth, "Schmall"). The Examiner's rejection is respectfully traversed. 

Schmall is cited by the Examiner only as teaching the limitations of steps (c) 
and (d) of claim 1 and the functionality of element (c) of claim 20. Therefore, the 
following argument concentrates on Vella '913. 

Vella '913 teaches a system 10 for detecting malicious code in executable 
attachments of e-mail and in downloaded executable files. An electronic mail 
analyzer 11 identifies executable attachments of e-mail and forwards the executable 
attachments to an executable file analyzer 13 for analysis. A download analyzer 14 
identifies executable files in downloads and forwards the executable files to 
executable file analyzer 13 for analysis. 

In other words, Vella '913 monitors a stream of data traffic specifically for 
e-mail attachments and downloaded files that are known a priori to be executable even 
before the attachments and files are inspected by executable file analyzer 13. By 
contrast, the present invention, as recited in independent claims 1 and 20 as now 
amended, monitors a stream of data traffic for suspicious data in a portion of the 
stream of data traffic that is specifically expected not to include executable code. 

In order for independent claims 1 and 20 to be unpatentable over Vella '913 in 
view of Schmall, these references must teach or suggest every recited limitation. As 
the Board of Patent Appeal and Interferences has confirmed in In re Wada and 
Murphy, Appeal 2007-3733, 

When determining whether a claim is obvious, an examiner 
must make "a searching comparison of the claimed invention - 
including all its limitations - within the teaching of the prior art". In 
re Ochiai, 71 F.3d 1565, 1572 (Fed. Cir. 1995) (emphasis added). 
Thus, "Obviousness requires a suggestion of all limitations in a claim." 
CFMT, Inc. v. Yieldup Intern. Corp., 349 F.3d 1333, 1342 (Fed. Cir. 
2003) (citing In re Royka, 490 F.2d 981, 985 (CCPA 1974)). 

In the present case, neither Vella '913 nor Schmall teach, hint or suggest monitoring a 
stream of data traffic for suspicious data in a portion of the stream of data traffic that 
is expected, a priori, not to include executable code. It follows that independent 
claims 1 and 20 are allowable in their present form over the prior art cited by the 
Examiner. 

With independent claim 1 allowable in its present form it follows that claim 3 
that depends therefrom also is allowable. 

§ 103(a) Rejections - Vella '913 in view of Schmall and further in view of Muttik '780 

The Examiner has rejected claims 11, 16 and 17 under § 103(a) as being 
unpatentable over Vella '913 in view of Schmall and further in view of Muttik, US 
Patent No. 6,775,780 (henceforth, "Muttik '780"). The Examiner's rejection is 
respectfully traversed. 

Muttik '780 teaches an emulator 110 for detecting malicious code in code 108 
that has been introduced to a computer system 106. As in the case of Vella '913, code 
108 is known a priori to be executable. Therefore, the arguments above that 
demonstrate the allowability of independent claims 1 and 20 over the prior art cited by 
the Examiner also show, mutatis mutandis, that independent claims 11, 16 and 17 also 
are allowable in their present form over the prior art cited by the Examiner. 

§ 103(a) Rejections - Vella '913 in view of Schmall and Muttik '780 and further in view of Shipley '236 

The Examiner has rejected claims 2, 6, 7, 14 and 15 under § 103(a) as being 
unpatentable over Vella '913 in view of Schmall and Muttik '780 and further in view 
of Shipley, US Patent No. 6,119,236. The Examiner's rejection is respectfully 
traversed. 

Claim 15 has been canceled, thereby rendering moot the Examiner's rejection 
of this claim. 

It has been demonstrated above that claims 1 and 11 are allowable in their 
present form. It follows that claims 2, 6, 7 and 14 that depend therefrom also are 
allowable. 

§ 103(a) Rejections - Vella '913 in view of Schmall and further in view of Touboul '194 

The Examiner has rejected claim 4 under § 103(a) as being unpatentable over 
Vella '913 in view of Schmall and further in view of Touboul, US Patent No. 
6,092,194. The Examiner's rejection is respectfully traversed. 

It has been demonstrated above that claim 1 is allowable in its present form. It 
follows that claim 4 that depends therefrom also is allowable. 

§ 103(a) Rejections - Vella '913 in view of Schmall and Muttik '780 and further in view of Made '076 

The Examiner has rejected claims 5, 8, 9, 12, 13, 18, 19, 21 and 22 under 
§ 103(a) as being unpatentable over Vella '913 in view of Schmall and Muttik '780 
and further in view of Made, US Patent Application Publication No. 2002/0056076 
(henceforth, "Made '076"). The Examiner's rejection is respectfully traversed. 

It has been demonstrated above that independent claims 1, 11, 17 and 20 are 
allowable in their present form. It follows that claims 5, 8, 9, 12, 13, 18, 19, 21 and 
22 that depend therefrom also are allowable. 



New Claims 

New claims 23-26 add to claims 8, 12, 18 and 21, respectively, the limitation 
that the attempt to disassemble or convert is initiated at every offset within the 
suspicious portion(s) of data. Support for these claims is found in the specification as 
filed at least on page 9 lines 19-23: 

However, in case a vulnerable return address is not detected, and 
without any advance knowledge regarding any other execution 
mechanism the attacker is attempting to use, then in order to perform a 
disassembly and analyze the input stream for malicious code, 
instruction analyzer 405 needs to perform a disassembly within the 
suspicious data starting from every possible offset. (emphasis added) 

and on page 9 line 30 through page 10 line 1: 

Otherwise, instruction analyzer 405 chooses (step 505) an offset for 
example, by enumerating over all possible offsets, and attempts to 
disassemble (step 507) the data of the input stream subsequent to the 
chosen offset. (emphasis added) 

In view of the above amendments and remarks it is respectfully submitted that 
independent claims 1, 11, 16, 17 and 20, and hence dependent claims 2-9, 12-14, 18, 
19, 21 and 22 are in condition for allowance. Prompt notice of allowance is 
respectfully and earnestly solicited. 

Respectfully submitted, 

Mark M. Friedman 
Attorney for Applicant 
Registration No. 33,883 

Date: September 23, 2009 






STRUCTURED 
COMPUTER ORGANIZATION 

FOURTH EDITION 



ANDREW S. TANENBAUM 

Vrije Universiteit 
Amsterdam, The Netherlands 



With contributions from 
JAMES R. GOODMAN 

University of Wisconsin 
Madison, WI 



PRENTICE-HALL INTERNATIONAL 



INTRODUCTION CHAP. 1 

1.1.3 Evolution of Multilevel Machines 

Hardware and software are logically equivalent. 

Any operation performed by software can also be built directly 
into the hardware, preferably after it is sufficiently well understood. 
As Karen Panetta Lentz put it: "Hardware is just petrified software." 
Of course, the reverse is also true: any instruction executed by the 
hardware can also be simulated in software. The decision to put 
certain functions in hardware and others in software is based on such 
factors as cost, speed, reliability and frequency of expected changes. 
There are few hard and fast rules to the effect that X must go into the 
hardware and Y must be programmed explicitly. These decisions 
change with trends in technology and computer usage. 